Has anyone done this upgrade yet?
Cheers - Bob
Dom Nik I am seeing the issue with DNS cache as well. I haven't opened a case because I just don't have the time right now, but there is definitely something not right. I have firewall rules that only allow certain WAN destinations based on FQDN. Throughout the day users are saying they can't get to a page. When I look into it, the firewall dropped the cache for the sites and has to re-create it.
Hi Flo,
thanks for your reply. As I'm a Home User, I can provide you with more information/log files etc.
Please let me know how I can help.
My use case is iOS/macOS Apps which do Certificate Pinning for https connections. I created FW rules with FQDN hosts to allow the access without https scanning for them.
For example, a very common banking app in Germany is "Outbank" (available on iOS and macOS) which tries to phone home to "*.stoegerit.com" and tries to contact all configured banking services with https as well afterwards. The current behavior is as follows:
- Do a FW reboot, FQDN cache is empty
- Open the app - https requests are triggered but will fail
- FW creates the needed FQDN cache entries during first call of the app
- App works 1-2 times afterwards, while the FW chooses the right FW rules with the FQDNs
- After some time the App fails again, while the FW has forgotten the FQDNs for these domains
Thanks and best regards
Dom Nik
Hi Dom Nik
To provide an update for this reported issue:
This is related to the known issue ID: NC-38832 and the fix for this is tentatively scheduled to be included in SFOS v17.5 release.
Please stay tuned, as we will provide more announcements regarding this release when news becomes available.
I had an opportunity to explore at length xg 17.5. Overall it seems like it's heading in the right direction. Unfortunately for me, several key features will keep me from leaving UTM.
1) No NTP server
2) No dns proxy - I have a number of local host definitions. Can't access them if the dhcp is pushing the isp's dns servers. If I override then everything is super slow while the xg times out before the next dns server is queried.
3) Definition flow - seems definitions are everywhere. In UTM there was one common place for them to be defined.
Hopefully subsequent updates will resolve these shortcomings.
Hello,
This issue is now fixed with Version 17.5 GA.